As ransomware attacks surge and hackers become increasingly bold about causing real-world damage and disruption in pursuit of profit, world governments have debated new strategies to curb the threat. In the United States, the Biden administration is forging ahead with a package of new measures that includes some very substantial rewards (up to $10 million) for information that leads to the identification of attackers that hit critical infrastructure.
Biden administration takes on ransomware attacks with rewards, educational campaigns, new anti-money laundering measures
The headline item of the package is an offer of a reward of up to $10 million for information leading to the identification of foreign actors that engage in malicious cyber activity against critical U.S. infrastructure. The rewards are not limited to ransomware attacks, but these are clearly a central focus after the recent incidents with Colonial Pipeline and JBS that caused serious real world supply line problems. However, there is one catch: the information must be linked to “state-sanctioned” actors. This makes it doubtful that the recent ransomware attacks on JBS and Colonial Pipeline would qualify, as though Russia clearly turns a blind eye to such groups the government is also not known to be involved with them in any way.
The White House has also created a task force to coordinate efforts among federal agencies to respond to the wave of ransomware attacks, and is creating a new website (stopransomware.gov) to provide information to the general public. The new site will offer public resources and information for businesses to help secure networks against ransomware attacks, consolidating many existing resources that were previously scattered among numerous federal government agency websites.
The Treasury Department’s Financial Crimes Enforcement Network has additionally been directed to engage with banks and tech industry companies on efforts to prevent money laundering occurring via cryptocurrency, the way in which nearly all ransomware attacks are monetized. This includes procedures for establishing faster tracing of payments in an effort to halt and reverse them, as occurred in the Colonial Pipeline case in which $2.3 million of the ransom payment was recovered.
The administration is promising further information on these new measures on Tuesday. The payments for information on ransomware attacks will be administered under the existing “Rewards For Justice” program, an initiative managed by the Department of State that has previously focused on stopping terrorist attacks. This tracks with recent comments by FBI director Christopher Wray comparing the current state of ransomware attacks to the terror threat level surrounding the 9/11 attacks, given that attackers seem to be taking a turn toward attempting to damage physical infrastructure and logistics chains. Mike Hamilton, Founder/CISO at Critical Insight (former DHS Vice-Chair for State, Local, Tribal, Territorial Government Coordinating Council (SLTTGCC)), explained how the new measure fits into the program’s existing mission: “This is an interesting (and not unexpected) application of the Rewards for Justice program. The key phrase here is, “while acting at the direction or under the control of a foreign government, meaning that the target is not organized criminals writ large, it’s those that are supported by (either overtly or tacitly) by a government … It appears to be an attempt to short-cut the process of detailed attribution that is necessary to implicate a foreign government in collusion or cooperation with organized crime. If the US Government can incentivize someone to provide evidence of such, paying out $10M is probably a good deal considering the resources we bring to bear with the intelligence community for the same outcome.”
Private sector needs to play their part against ransomware attacks
Secretary Alejandro Mayorkas of the Department of Homeland Security also once again reiterated the message that individual businesses will need to play a role in making ransomware attacks less lucrative, and thus less likely. Mayorkas pointed to the new StopRansomware.gov website as a source for consolidated resources and rapid tracing of ransomware, which will include guidance for reporting attacks and regular alerts of new ransomware attacks as they unfold.
The government has stressed public-private collaboration as a vital element in curbing this crisis. Following a May executive order that increased cybersecurity standards for federal contractors, the Biden administration said that American businesses should review their ransomware security and response practices. Direct engagement has thus far been very limited, however. Steven Aiello, security practice director at AHEAD, believes that there will need to be more aggressive public-private engagement to make a serious dent in the problem: “The additional steps being taken by the U.S. government in response to the increased ransomware attacks are without a doubt a step in the right direction. However, the initiatives may not be fully realized without a broader attention put on private sector organizations to expand cybersecurity resources and personnel … Many private sector organizations do not have comprehensive cybersecurity teams in place to make solid use of threat intelligence that the executive order seeks to share … we won’t see optimal success unless there are moves made to address the hiring challenges. The new website, stopransomware.gov, for example, could actually do more harm than good for organizations that already don’t have a firm grasp on proper cyber security processes. One way to address the talent crisis and return the industry to a healthy ecosystem would be to add a scholarship program to the list of new initiatives. This would get people involved in a field that lacks professionals, fulfill a dire need and help from a jobs perspective.”
The administration has made a number of declarations to date that directly address the epidemic of ransomware, but relatively few concrete elements have been put into place as of yet. For example, the new requirements for federal contractors created by the May executive order on cybersecurity are rolling out slowly over an as-of-yet indeterminate period, though the only immediate requirement was a change to reporting procedures. The changes are expected to be on an aggressive schedule, with some targeted to be in place by the end of the year, but others may require Congressional approval and could take longer to work out. The total package of proposals substantially beefs up the nation’s readiness and ability to respond to ransomware attacks, but actually putting all the elements into place could take some time.
Will the rewards program work?
Roger Grimes, data driven defense evangelist at KnowBe4, had additional questions about how effective the offer of rewards will ultimately be in countering the threat: “Anything that gets us closer to putting down malware and malicious hackers is a good thing, and this is just another tool to do so. With that said, I’m not sure how large rewards have done against foreign adversaries in the past. We’ve offered pretty huge rewards in real, past, kinetic wars, that went unclaimed. But it can’t hurt. I applaud it. We might get lucky. The question is what to do with the information if we get it and will it matter? We have no legal jurisdiction to pursue any identified criminals in most of the foreign countries hosting many of the cybersecurity criminals. The criminals are often directly protected by the leaders of their countries or paying enough bribes to legal and political protectors that any amount of even really good information will not turn into people arrested and cybercriminal shops permanently closed.”
The payment program for information on ransomware attacks is expected to roll out quickly, however, with the government taking the unprecedented step of setting up channels on the dark web for the reporting of this information and potentially even paying out the reward money in cryptocurrency (according to a statement by the State Department).